CanonicalCVELIST:CVE-2020-11934CVE-2020-11934 Sandbox escape vulnerability via snapctl user-open (xdg-open)
5.9 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
6.3 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
12.7%
It was discovered that snapctl user-open allowed altering the $XDG_DATA_DIRS environment variable when calling the system xdg-open. OpenURL() in usersession/userd/launcher.go would alter $XDG_DATA_DIRS to append a path to a directory controlled by the calling snap. A malicious snap could exploit this to bypass intended access restrictions to control how the host system xdg-open script opens the URL and, for example, execute a script shipped with the snap without confinement. This issue did not affect Ubuntu Core systems. Fixed in snapd versions 2.45.1ubuntu0.2, 2.45.1+18.04.2 and 2.45.1+20.04.2.
CNA Affected
[
{
"product": "snapd",
"vendor": "Canonical",
"versions": [
{
"changes": [
{
"at": "2.45.1+18.04.2",
"status": "unaffected"
},
{
"at": "2.45.1+20.04.2",
"status": "unaffected"
}
],
"lessThan": "2.45.1ubuntu0.2",
"status": "affected",
"version": "2.45.1",
"versionType": "custom"
}
]
}
]Related
5.9 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
6.3 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
12.7%